Software security company Veracode has revealed that organizations should use DevSecOps as a way to reduce security debt. Similar to technical debt, security debt occurs when flaws age and accumulate without getting fixed.
In their 10th annual State of Software Security (SOSS) report, the company revealed that many of the flaws discovered 10 years ago are still present today. In last year’s report, the company had found that 70% of flaws were present one month after discovery, 55% were present after three months, and 25% of high severity vulnerabilities were still present after 290 days.
According to this year’s report, when looking at how fast flaws are addressed, the median time to remediate was 59 days. Veracode explained the typical fix times has remained the same over the last 10 years, but the “ever-accruing security debt just got a lot longer.” While 56% of all security vulnerabilities are fixed, companies that focus on fixing new security vulnerabilities instead of addressing older ones increase their security debt.
Veracode also reported that 83% of applications scanned contained at least one vulnerability during the initial scan. The top vulnerabilities were information leakage (64%), cryptographic issues (62%), and CRLF injection (61%).
The results of the survey show that the longer a vulnerability remained, the less likely it was to be corrected. Just about half of all applications surveyed accrued security debt over time, while a quarter are reducing debt and another quarter are breaking even.
In addition, the report revealed that how frequently an application is scanned correlates to its security debt. The top 1% of applications that had the highest scan frequency experiences five times less security debt than the bottom third of applications. According to Veracode, applications that are scanned monthly show a MTTR of 68 days, while applications that are scanned daily show an MTTR of 19 days.
These results indicate that DevSecOps plays a big role in reducing security debt. Veracode explained that security debt isn’t necessarily an indication that development teams are bad at managing flaws, but that organizations need to rethink how frequent AppSec testing could help them drive down security debt.
“Development teams can’t ignore the findings nor choose to fix the new flaws rather than the old ones. Instead, they should make a plan to fix the new findings and use periodic ‘security sprints’ to fix unresolved flaws that could be exploited,” said Chris Eng, chief research officer at Veracode.
Veracode analyzed over 85,000 applications from over 2,300 companies around the world in its study.